Feanil

Name of the Vulnerable Software and Affected Versions: Open edX Platform versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper Description: The issue is related to inadequate access control in the Open edX Platform, specifically with the AWS S3 Bucket Handler component. This may allow a remote attacker to disclose protected information. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard, and with certain storage backends, these uploads may become publicly available. The patch ensures that cohorts data uploaded to AWS S3 buckets is written with a private ACL. Recommendations: For versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper, apply the patch in commit cb729a3ced0404736dfa0ae768526c82b608657b to ensure that cohorts data uploaded to AWS S3 buckets is written with a private ACL. Beyond patching, ensure that existing cohorts uploads have a private ACL, or take other precautions to avoid public access.

**Name of the Vulnerable Software and Affected Versions** Open edX Platform versions prior to the version containing commit 019888f **Description** The issue affects the Open edX Platform, a service-oriented platform for authoring and delivering online learning. A user with a JWT and limited scopes could call `API Endpoints` exceeding their access. **Recommendations** For versions prior to the version containing commit 019888f, update to a version that includes the patch commit 019888f to resolve the issue. As a temporary workaround, consider restricting access to sensitive `API Endpoints` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Drag and Drop XBlock v2 versions prior to 3.0.0 **Description** The issue affects the Drag and Drop XBlock v2, which implements a drag-and-drop style problem. It is vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. **Recommendations** For versions prior to 3.0.0, update to version 3.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable XBlock Fields until the patch is applied. There are no known workarounds for this issue.